Crash in Sk4px::Load4
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4548163671425024
Fuzzer: mbarbella_js_mutation_layout
Job Type: linux_asan_chrome_v8
Platform Id: linux
Crash Type: UNKNOWN READ
Crash Address: 0x102dddf42a86
Crash State:
  Sk4px::Load4
  void Sk4px::MapDstAlpha<sk_ssse3::blit_mask_d32_a8_black
  sk_ssse3::blit_mask_d32_a8_black
Recommended Security Severity: Medium
Regressed: V8: r35065:35144

Minimized Testcase (0.20 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv96IRU5T_WxnkoY003W1H632GuxqdrLo4vN0PMe5T_htXn28QeacgKqdUOFTZUmQj66w9KurnIH8QsFcEi_BP_17FPiRRiForqjfeHDfdzBSxDdg9Na1mv18_6dpWpcWgW5R92BXXqKb1BBljiojQRhWzTX3Dg
<style> * { writing-mode: vertical-lr; letter-spacing: 170141183460469231731687303715884105727mm;</style>

Filer: inferno
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
May 23 2016
mtklein: Can you please take a look or reassign as appropriate? Thanks.
May 25 2016
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=5953068042813440
May 26 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5953068042813440
Uploader: mbarbella@google.com
Job Type: linux_asan_chrome_mp
Platform Id: linux
Crash Type: UNKNOWN READ
Crash Address: 0x10381034a686
Crash State:
  sk_ssse3::blit_mask_d32_a8
  SkBlitMask::BlitColor
  SkARGB32_Opaque_Blitter::blitMask
Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=383194:384397

Minimized Testcase (0.20 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv97WDFNgKnck9RVpIx7_KkqjeiAYwLbTp9D4kbcoGrH0ZGc-NHAgJjZvI-x6f86Bx5KxrvOTb1ZPQrqfbtX3t9C7DL7tuxs8gffF8mf0DQ8J_QKhNwKimbwhjvvr9qJQs0v3u2_1gNVDLkObDcml7ZJWGBshhw
<style> * { writing-mode: vertical-lr; letter-spacing: 170141183460469231731687303715884105727mm;</style>
Jun 6 2016
mtklein: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jun 16 2016
Any update on this bug as it is marked as M52 stable blocker?
Jun 16 2016
Oh, hadn't noticed there were two of these. Probably a dupe of 619378.
Jun 19 2016
The following revision refers to this bug: https://skia.googlesource.com/skia.git/+/875e13ca0990e32da9db639743a913efe77f7e89

commit 875e13ca0990e32da9db639743a913efe77f7e89
Author: mtklein <mtklein@chromium.org>
Date: Sun Jun 19 12:28:33 2016

Simplify mask/clip intersection, making sure to explicitly check for an empty mask.

Previously we were only asserting the mask wasn't empty, which isn't necessarily true when we're given pathological float coordinates like +Inf or NaN.

A local run of nanobench --match text_ was not able to show this is faster or slower.

This patch fixed this first Chrome bug on my desktop, and the second is probably a dupe.

BUG=chromium:619378,chromium:613912
GOLD_TRYBOT_URL=https://gold.skia.org/search?issue=2073873002

Review-Url: https://codereview.chromium.org/2073873002

[modify] https://crrev.com/875e13ca0990e32da9db639743a913efe77f7e89/src/core/SkDraw.cpp
[modify] https://crrev.com/875e13ca0990e32da9db639743a913efe77f7e89/tests/DrawTextTest.cpp
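The commit message above names the defect class: with +Inf or NaN glyph coordinates the integer mask bounds can come out empty or inverted, and an assert-only emptiness check disappears in release builds. As an added illustration that is not Skia's code, this simplified C++ model (IRect, sat_round, device_bounds and the two mask_pixels_* functions are all hypothetical stand-ins) contrasts the assert-only shape with the explicit empty check the fix introduced:

```cpp
#include <algorithm>
#include <cmath>
#include <cstddef>
#include <cstdint>
#include <limits>

// Hypothetical stand-in for Skia's integer device rect (added model, not Skia's code).
struct IRect {
    int32_t left, top, right, bottom;
    bool isEmpty() const { return left >= right || top >= bottom; }
    int64_t width() const { return int64_t(right) - left; }
    int64_t height() const { return int64_t(bottom) - top; }
    // Intersect in place. Returns false and leaves *this untouched when the result is empty.
    bool intersect(const IRect& o) {
        IRect r{std::max(left, o.left), std::max(top, o.top),
                std::min(right, o.right), std::min(bottom, o.bottom)};
        if (r.isEmpty()) return false;
        *this = r;
        return true;
    }
};

// Hypothetical saturating float->int rounding (casting NaN/Inf directly is undefined behaviour).
// NaN maps to 0, +Inf to INT32_MAX, -Inf to INT32_MIN, so pathological coordinates yield a
// 0x0 or inverted rect instead of a well-formed one.
int32_t sat_round(float v) {
    if (std::isnan(v)) return 0;
    if (v >= 2147483648.0f) return std::numeric_limits<int32_t>::max();
    if (v <= -2147483648.0f) return std::numeric_limits<int32_t>::min();
    return int32_t(std::lround(v));
}

IRect device_bounds(float l, float t, float r, float b) {
    return IRect{sat_round(l), sat_round(t), sat_round(r), sat_round(b)};
}

// Pre-fix shape: emptiness was only asserted. With the assert compiled out, an inverted mask
// rect gives a negative width, which becomes an enormous pixel count once treated as unsigned,
// consistent with the UNKNOWN READ in blit_mask reported above.
size_t mask_pixels_unchecked(IRect mask, const IRect& clip) {
    mask.intersect(clip);        // result ignored, as an assert-only check effectively does
    // assert(!mask.isEmpty());  // absent in release builds
    return size_t(mask.width() * mask.height());
}

// Post-fix shape: bail out explicitly when the mask/clip intersection is empty.
size_t mask_pixels_checked(IRect mask, const IRect& clip) {
    if (!mask.intersect(clip)) return 0;
    return size_t(mask.width() * mask.height());
}
```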
Jun 19 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/9e60626f1eff0762824242bd6513faf9712e999b

commit 9e60626f1eff0762824242bd6513faf9712e999b
Author: skia-deps-roller <skia-deps-roller@chromium.org>
Date: Sun Jun 19 13:35:03 2016

Roll src/third_party/skia/ cc3a22b36..875e13ca0 (1 commit).

https://chromium.googlesource.com/skia.git/+log/cc3a22b369e1..875e13ca0990

$ git log cc3a22b36..875e13ca0 --date=short --no-merges --format='%ad %ae %s'
2016-06-19 mtklein Simplify mask/clip intersection, making sure to explicitly check for an empty mask.

BUG=619378,613912
CQ_INCLUDE_TRYBOTS=tryserver.blink:linux_blink_rel
TBR=brianosman@google.com

Review-Url: https://codereview.chromium.org/2074343002
Cr-Commit-Position: refs/heads/master@{#400619}

[modify] https://crrev.com/9e60626f1eff0762824242bd6513faf9712e999b/DEPS
Jun 20 2016
ClusterFuzz has detected this issue as fixed in range 400618:400619.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5953068042813440
Uploader: mbarbella@google.com
Job Type: linux_asan_chrome_mp
Platform Id: linux
Crash Type: UNKNOWN READ
Crash Address: 0x10381034a686
Crash State:
  sk_ssse3::blit_mask_d32_a8
  SkBlitMask::BlitColor
  SkARGB32_Opaque_Blitter::blitMask
Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=383194:384397
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=400618:400619

Minimized Testcase (0.20 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv97WDFNgKnck9RVpIx7_KkqjeiAYwLbTp9D4kbcoGrH0ZGc-NHAgJjZvI-x6f86Bx5KxrvOTb1ZPQrqfbtX3t9C7DL7tuxs8gffF8mf0DQ8J_QKhNwKimbwhjvvr9qJQs0v3u2_1gNVDLkObDcml7ZJWGBshhw?testcase_id=5953068042813440
<style> * { writing-mode: vertical-lr; letter-spacing: 170141183460469231731687303715884105727mm;</style>
Jun 20 2016
ClusterFuzz has detected this issue as fixed in range 37060:37109.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4548163671425024
Fuzzer: mbarbella_js_mutation_layout
Job Type: linux_asan_chrome_v8
Platform Id: linux
Crash Type: UNKNOWN READ
Crash Address: 0x103513eabe86
Crash State:
  Sk4px::Load4
  void Sk4px::MapDstAlpha<sk_ssse3::blit_mask_d32_a8_black
  sk_ssse3::blit_mask_d32_a8_black
Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_v8&range=35065:35144
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_v8&range=37060:37109

Minimized Testcase (0.20 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv97fv_Og6m8xR-d-DKu1XMNJxdM94z3uyJZhhEW5K0OkzaliwH_74IDuO21eMBhmt0hdqNnzjCxwRoXa18p7N8AIM9Z2ThOTfAowYqhPFsLqBr7zNfk7S68_SXMQVm62YcONri9hE7qH733wsg4y6IYtRc28kw?testcase_id=4548163671425024
<style> * { writing-mode: vertical-lr; letter-spacing: 170141183460469231731687303715884105727mm;</style>
Jun 21 2016
The following revision refers to this bug: https://skia.googlesource.com/skia.git/+/c20d6706cc0220956c43a020a1a71c4e73a468e0

commit c20d6706cc0220956c43a020a1a71c4e73a468e0
Author: mtklein <mtklein@chromium.org>
Date: Tue Jun 21 19:03:37 2016

Cherry-pick 875e13ca0 to M52.

TBR=

Original description:

Simplify mask/clip intersection, making sure to explicitly check for an empty mask.

Previously we were only asserting the mask wasn't empty, which isn't necessarily true when we're given pathological float coordinates like +Inf or NaN.

A local run of nanobench --match text_ was not able to show this is faster or slower.

This patch fixed this first Chrome bug on my desktop, and the second is probably a dupe.

BUG=chromium:619378,chromium:613912
GOLD_TRYBOT_URL=https://gold.skia.org/search?issue=2073873002

Review-Url: https://codereview.chromium.org/2073873002

GOLD_TRYBOT_URL=https://gold.skia.org/search2?unt=true&query=source_type%3Dgm&master=false&issue=2085023002
NOTREECHECKS=true
NOTRY=true
NOPRESUBMIT=true

Review-Url: https://codereview.chromium.org/2085023002

[modify] https://crrev.com/c20d6706cc0220956c43a020a1a71c4e73a468e0/src/core/SkDraw.cpp
[modify] https://crrev.com/c20d6706cc0220956c43a020a1a71c4e73a468e0/tests/DrawTextTest.cpp
Sep 27 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Oct 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot